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SECURE COMPUTATIONAL OUTSOURCING TECHNIQUES 

CROSS-REFERENCE TO RELATED APPLICATIONS 
The present application claims the benefit of commonly owned U.S. 
Provisional Patent Application Serial Number 60/085,515, filed 14 May 1998 which 
is hereby incorporated by reference in its entirety. 

BACKGROUND OF THE INVENTION 
The present invention relates to computer security techniques, and more 

particularly, but not exclusively, relates to techniques to provide more secure 

outsourcing of computations. 

Rapid growth in the area of computer technology, including networking 

schemes like the internet, has facilitated the transmission of data from a processing 

system at one site (the customer) to another site (the agent) to perform certain 

computations. Such "outsourcing" of certain computations may be desired, for 

1 

example, when the customer lacks the hardware resources, software resources, or 
other know-how to cost-effectively perform the computations. 

In one example, outsourcing is utilized in the financial services industry, 
where, for instance, the customer data includes projections of the likely future 
evolution of certain commodity prices, interest and inflation rates, economic statistics, 
portfolio holdings, etc. In another example, outsourcing is utilized in the energy 
services industry, where the proprietary data is typically seismic, and can be used to 
estimate the likelihood of finding oil or gas at a particular geographic spot in question. 
The seismic data may be so massive that the performance of corresponding matrix 

1 
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multiplication and inversion computations would be beyond the resources of most 
major oil companies. Many other industries can also benefit from outsourcing. 

With the advent of computational outsourcing, concerns regarding the agent's 
misappropriation of customer data or the computational results have arisen. These 
concerns arise not only with the customer, but also with an agent .who wants to reduce 
the risk of misappropriation by its employees. One proposed scheme is to utilize 
standard cryptographic techniques to encrypt the data sent by the customer to the 
agent. While encryption may enhance security with respect to an attacking third 
party, it still requires that the agent have access to at least some of the cryptographic 
information, such as encryption/decryption keys, to perform a meaningful calculation. 
As a result, this scheme still provides the agent ready access to the actual data. 
Moreover, such schemes assume the agent will be a permanent repository of the data, 
performing certain operations on it and maintaining certain predicates. In many 
instances, this situation is also undesirable. Thus, there is a demand for techniques to 
improve the security of outsourced computations. 
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SUMMARY OF THE INVENTIONS 

One form of the present invention is a unique computational technique. 
5 A further form of the present invention is a unique system or method of 

disguising larguments to be submitted to a computation. 

Another form of the present invention is a unique system or method to 
perform a computation on disguised arguments and return a disguised result. 

Yet another form of the present invention is a computer readable medium that 
1 0 uniquely defines computer programming instructions to hide a group of actual 
arguments for a computation to be outsourced. 

Still another form of the present invention is a computer data transmission 
medium that includes a number of uniquely disguised arguments. These disguised 
arguments are sent via the medium to a site that performs an outsourced computation 
1 5 with the disguised arguments. 

i 

Thd above-described forms of the present invention may be practiced in the 
alternative or in combination. Further, the above-described forms are merely 
illustrative and should not be considered restrictive or limiting, it being understood 
that other forms, features, aspects, objects, and embodiments of the present invention 
20 shall become apparent from the drawings and description contained herein. 
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BRIEF DESCRIPTION OF THE DRAWINGS 



Fig. 1 is a diagrammatic view of one system according to the present 
invention. 

Fig. 2 is a flow chart of one process performed according to the present 
invention with the system of Fig. 1 . 

Fig. 3 is a block diagram of selected operational elements for disguising 
arguments according to the process of Fig. 2. 

Fig. 4 is a block diagram of selected operational elements for recovering 
actual answer from a disguised result according to the process of Fig. 2. 
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DESCRIPTION OF THE PREFERRED EMBODIMENTS 

For the purpose of promoting an understanding of the principles of the 
invention, reference will now be made to the embodiments illustrated in the drawings 

5 and specific language will be used to describe the same. It will nevertheless be 
understood that no limitation of the scope of the invention is thereby intended. Any 
alterations and further modifications in the described embodiments, and any further 
applications of the principles of the invention as described herein are contemplated as 
would normally occur to one skilled in the art to which the invention relates. 

10 Fig. 1 illustrates system 20. System 20 includes data gathering and processing 

subsystem 30 and computing center 50. Subsystem 30 is alternatively depicted as 
customer C, and computing center 50 is alternatively depicted as agent A. Subsystem 
30 includes at least one computer 32. Computer 32 has memory 34, at least one input 
(I/P) device 36, and at least one output (O/P) device 38. Computing center 50 

15 includes at least one computer 52 with memory 54, at least one input (I/P) device 56, 

I 

and at least one output (O/P) device 58. Memories 34, 54 each define at least one 
computer readable medium that is accessed by computers 32, 52, respectively. 

In one example, computers 32, 52 are of the programmable, digital variety 
and, memories 34, 54 are comprised of one or more components of the solid-state 
20 electronic type, electromagnetic type like a hard disk drive, optical type like a 

Compact Disk Read Only Memory (CD ROM), or a combination of these. In other 
embodiments, computer 32 or computer 52 and/or memory 34 or memory 54 may be 
otherwise configured as would occur to those skilled in the art. Typically, computers 
32, 52 will differ in some regard with respect to one another as more fully explained 

5 
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hereinafter; however, other embodiments of the present invention may include 
computers 32, 52 that are substantially the same. 

Input devices 36, 56 may include standard operator input devices such as a 
keyboard, mouse, digitizing pen, dedicated equipment for automatically inputting 
data, or such other devices as would occur to those skilled in the art. Output devices 
3 is, 58 may include one or more displays, printers, or such other types as would occur 
to those skilled in the art. Further, input devices 36, 56 or output devices 38, 58 may 
be in the form of components that perform both input and output operations such as 
one or more modems or other communication links. Such components may 
alternatively be considered a computer transmission medium to sending and receiving 
data. 

Fig. 1 depicts network 40 communicatively coupling subsystem 30 and 
computing center 50. Network 40 may be an internet connection or other form of 
network as would occur to those skilled in the art. Further, portable memory medium 
42 is shown as another means of exchanging data between subsystem 30 and 
computing center 50. Portable memory medium 42 may be in the form of one or 
more electromagnetic disks, tapes, or cartridges, optical disks, or such other form as 
would occur to those skilled in the art. It should be appreciated that network 40 and 
medium 42 may each be considered as being one of input devices 34, 54 and/or one of 
output devices 38, 58; and alternatively may each be regarded a type of data 
transmission medium for the transmission of computer data. 

Referring also to Fig. 2, outsourcing process 120 is illustrated. In stage 131 of 
process 120, subsystem 30 identifies and collects a group of actual arguments AA for 
a computation to be outsourced. As used herein, "argument" refers broadly to any 

6 
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symbol, value, function, description, code, or other mathematical object that is input 
to a computation. 

Typically, subsystem 30 is not as desirable as computing center 50 for 
performance of the computation designated for outsourcing. This distinction may 
arise from one or more differences relating to hardware, software* operator expertise, 
or available processing time. However, in other embodiments, the decision to 
outsource a particular computation may be independent of any such differences. 

Once arguments are determined in stage 131, the outsourced mathematical 
computation is classified into one of a number of types in stage 133. A nonexclusive 
listing of computation types that may be good candidates for outsourcing is provided 
in table I as follows: 



No. 


Type 


1. 


Matrix Multiplication 


2i 


Matrix Inversion 


3. 


Solution of a Linear System of Equations 


4. 


Quadrature 


5. 


Convolution 


6. 


Numerical Solution of Differential Equations 


7. 


Optimization 


8. 


Solution of a Nonlinear System 


9. 


Image Edge Detection 


10. 


Image Template Matching 
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11. 


Sorting 


12. 


Character String Pattern Matching 



Table I 



It should be appreciated that the list of Table I is merely illustrative, and that other 
5 types of outsourced computations and classifications may be utilized in other 
embodiments. 

After classification, process 120 resumes with operation 220 to determine a set 
3 of disguised arguments DA based on the outsourced computation classification and 

•j; the actual arguments AA. Disguised arguments DA are created in operation 220 to 

] *j 1 0 hide the nature of actual arguments AA from the agent A selected to perform the 

^ outsourced computation, but at the same time permit recovery of a meaningful actual 

■j? answer SA by customer C from data provided by the computation. Several 

S nonexclusive examples of the preparation of disguised arguments DA and recovery of 

5 t 

^ actual answfer SA are provided hereinafter in connection with the description of Figs. 

15 3 and 4. 

Once disguised arguments DA are prepared, subsystem 30 (customer C) sends 
disguised arguments DA to computing center 50 (agent A) to perform the outsourced 
computation in stage 135. The transmission in stage 135 may also include 
instructions regarding the type of outsourced computation. Alternatively, the nature 

|I t 

20 of the computation may be established either before or after disguised arguments DA 
are sent. Disguised arguments DA and any instructions concerning the outsourced 
computation to be performed may be transmitted to computing center 50 via network 

8 
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40, through portable computer readable medium 42, a combination of these, or 
through such other means as would occur to those skilled in the art. 

In stage 151, computing center 50 performs the designated computation with 
disguised arguments DA. For example, computer 52 may execute programming 

5 instructions stored in memory 54 to perform this computation. In' one example, 

computer 52 of computing center 50 is programmed to perform several different types 
of computations including one or more of those listed in Table I. Because disguised 
arguments DA are used, the result of the outsourced computation performed by 
computing center 50 typically differs from the actual answer SA that would have 

10 resulted if the outsourced computation had been performed with the actual arguments 
AA. The result for the computation performed with disguised arguments DA is then, 
in turn, hidden or disguised and is designated as disguised result DR. Computing 
center 50 sends disguised result DR back to subsystem 30 in stage 152. Subsystem 30 
receives disguised result DR in stage 161 and recovers the desired actual answer SA 

1 5 in operation 260. The recovery of actual answer S A is described in greater detail in 
connection with Figs. 3 and 4 and the examples that follow. 

It should be appreciated that disguised arguments DA and disguised result DR 
are the only information provided to computing center 50, such that the true nature of 
the data and answer for the selected outsourced computation are hidden through 

20 process 120. Consequently, a measure of security is provided by outsourcing process 
120 relative to simply trusting agent A with the actual arguments AA and/or actual 
answer SA. Further, the degree of security may be varied in accordance with the 
particular nature of the outsourced computation and various parameters associated 
with operations 220 and 260 of process 120. 
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Referring additionally to the block diagrams of Figs. 3 and 4, the preparation 
of disguised arguments DA and the recovery of actual answer SA are further 
described as performed by operations 220 and 260, respectively. Figs. 3 and 4 both 
include a block representative of outsourcing security program 230. Program 230 
resides in memory 34 and is configured to be executed by computer 32. In Fig. 3, 
program 230 receives actual arguments AA as input 222. Program 230 also receives 
input 224. Input 224 indicates the type of outsourced computation as determined 
through the classification performed in stage 133. 

Program 230 has access to one or more pseudorandom number generators 232 
residing in the form of one or more executable subroutines in memory 34. Also, 
memory 34 includes disguise library 234. Library 234 includes a number of different 
forms of argument disguise operations one or more of which are used to form a given 
set of disguised arguments DA. Various classes of the disguised operations are listed 
in table II that follows: 



No. 


Class 


1. 


Random Objects 


2. 


Linear Operator Modification 


3. 


Object Modification 


4. 


Domain and/or Dimension Modification 


5. 


Coordinate System Modification 


6. 


Identities and Partitions of Unity 



Table II 
10 



4-48409/7024-395 



The listing of Table II is meant to be merely representative, it being understood that 

i 

other forms and classes of disguises may alternatively or additionally be included as 
would occur to those skilled in the art. 

The first class of disguises are random objects: numbers, vectors, matrices, 
permutations, or functions, to name a few. These objects are "mixed into" the 
computation in some way to disguise it, and are at least in part created from random 
numbers. If the numbers are truly random, then they should be saved in record 236 
for use in the disguise and recovery of actual answer SA. If the random numbers 
come from a pseudorandom number generator, such as generators 232, then it is 
sufficient to save the seed and parameters of the generator in record 236. 

Under some circumstances, it may be desirable to hide as much information 
as possible about the characteristics of the random number generation technique 
utilized. It should be appreciated that once the distribution characteristics are known, 
it may become easier to detect true data being obscured by the random numbers. For 
example, if random numbers generated uniformly in some interval centered at zero 
where each added to a different entry of a large vector to be hidden, the random 
values would not do a good job of "hiding" the true values of the vector entries 
because the sum of the modified vector entries would be very close to the sum of the 
true value entries of the vector given the relationship of the random values to zero. 

In one embodiment, rather than using a pseudorandom number generator with 
the same probability distribution for every random number utilized, the exact form of 
distribution used may be varied from one random value to the next. Thus, random 
number generators 232 may each have a different distribution to better hide their 

11 
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corresponding probabilistic characteristics. For this approach, random number 
generators 232 may further be arranged to provide a one-time random sequences. To 
illustrate, let four random number generators 232 be designated as: Gl = a uniform 
generator with upper range and lower range parameters; G2 = normal generator with 
mean and standard deviation parameters; G3 - exponential generator with mean and 
exponent parameters; and G4 = gamma generator with mean and shape parameters. 
Thus, for this illustration each generator G1-G4 has a different pair of distribution 
parameters. Twelve random numbers are selected: the first 8 are the parameter pairs 
of the four generators G1-G4 and the other four, are the ai, a2, (X3, 04 coefficients used 
to create the one time random sequence, as indicated by expression (1) that follows: 

ctiGl + a 2 G2 + a 3 G3 + a 4 G4 (1) 
Note that in creating this one set of random numbers, a total of 16 numbers are used, 
the 8 generator parameters, the 4 coefficients cti- 04, and 4 seeds for generators Gl- 
G4, respectively. In other embodiments, a different number and configuration of 
random number generators may be utilized to provide a desired set of random 
numkers. Im one alternative embodiment, the desired level of security for a given 
problem not require more than one random number generator to provide desired 
random objects. For still another embodiment, random numbers may not be used at 
all, instead utilizing other disguise operations according to the present invention. For 
this embodiment, generators 232 may be absent. 

One way security techniques based on random numbers might be defeated 
includes a type "statistical attack" that attempts to derive information about a given 
random number generator through matching the numbers to those produced by known 
random number generation techniques. Typically, the amount of processing needed 

12 
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to derive such information for robust random number generators is cost prohibitive. 
However, this type of attack may still be of concern in alternative embodiments where 
a higher level of security is desired - especially with the rapid advancement of 
computer processing technology. 
5 Correspondingly, in addition to the one-time random sequence generation 

techniques previously described in connection with expression (1), the resistance of 
random number generators to a statistical attack in such alternative embodiments may 
be addressed by: (a) using random number generators 232 with real valued 
parameters having at least a 32 bit length whenever possible; (b) restarting random 

1 0 number generators 232 from time-to-time with new input values; and/or (c) changing 
the type of random number generators 232 used from time-to-time. 

Another type of statistical attack is to attempt to determine the parameters of 
the probability distribution used to generate a group of random numbers. For this 
type, one can estimate the moments of the probability distribution by computing the 

15 moments of a collected sample of generated random numbers. The mean of the 

sample of size N converges to the mean of the distribution with &n error that generally 

behaves according to 0(1/ V^V ); where the function 0(\I^[n ) corresponds to 

processing time on the order of 1/ 4n . While this rate of convergence is slow, a 
large sample of 10,000,000 may be utilized to provide estimates of moments with 
20 accuracy of about 0.03%. An alternative embodiment may be arranged to address this 
parameter-based statistical attack by: (a) using random number generators 232 with 
complex probability distribution functions to increase the number of different 
moments that need the attacker needs to defeat the security; (b) restarting the random 
number generator from time-to-time with new input values such that the sequence size 

13 
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generated with a given value is restricted; and (c) increase the number of parameters 
utilized to characterize the random number generator probability distribution function. 

Once random numbers have been provided using one or more of these 
embodiments, then random vectors, matrices, and arrays may be generated using 
standard techniques. Random objects with integer (or discrete) values, such as 
permutations, also can be created from random numbers using standard techniques. 

Random objects may further include determining one or more random 
functions in accordance with a set of random numbers. One embodiment of a random 
function determination routine that may be provided in program 230 begins with the 
selection of the dimension or basis of a corresponding function space F. Typically the 
basis should be relatively high to promote a greater degree of security. For example, 
a basis of 10 or 30 functions for a high dimensional space F of functions may be 
selected. Next, a random point in F is determined with one or more generators 232 to 
obtain a random function. The selection of the basis and other parameters, such as the 
domain and range of the desired random functions should be selected to be 
compatible with the computation to be disguised and generally should have high 
linear independence when a stable inversion of disguised results DR is desired. 

To provide space F as a one-time random space, the following process may be 
included in the routine: 

(a) Define the domain of the computation to correspond to a box 
(interval, rectangle, box, or other corresponding construct depending on the 
selected dimension). 
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(b) Select a random rectangular grid in the box with 10 lines in 
each dimension and assure a minimum separation. 

(c) Generate K sets of random function values at all the grid points 
(including the boundaries), one set for each basis function desired (these 
values are selected to be in a desired range). 

, (d) Interpolate these values by cubic splines to create.K basis 
functions. The cubic splines may be formed in accordance with C. deBoor, A 
practical Guide to Splines , SIAM Publications, (1978) which is hereby 
incorporated by reference in its entirety. It should be appreciated that cubic 
splines are smooth and have two continuous derivatives. 

(e) Add to this set of K basis functions a basis for the quadratic 
polynomials. 

This approach can be modified to make many kinds of one-time random spaces of 
functions. If functions with local support are needed, the cubic splines may be 
replaced with Hermite quintics as described in deBoor. If it is desirable for the 
functions to vary more in one part of the domain than another, then the grid may be 
refined in the corresponding part. If it is desirable for the functions to be more or less 
smooth, then the degree of smoothness of the cubic splines may be adjusted as 
appropriate. In still other embodiments, other techniques of random function 
generation may be utilized as would occur to those skilled in the art. 

One way an attacker might try to defeat disguises based on random functions 
is through an "approximation theoretic attack." This type of attack can based on 
observations about the approximating power of the disguised functions. In one 
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example, let u(x) be an original function, and f(x) be a disguise function in function 
space F such that g(x) = u(x) + f(x) is observable by agent A. Agent A may evaluate 
g(x) arbitrarily and, in particular, agent A might (if F were known) determine the best 
approximation g*(x) to g(x) from F. Then the difference g*(x) - g(x) equals 
u*(x)- u(x) where u*(x) is the best approximation to u(x) from F. ■ Thus g*(x) - g(x) is 
entirely du? to u(x) and gives some information about u(x). 

An alternative embodiment arranged to address an approximation theoretic 
attack includes choosing F to have very good approximating power so that the size of 
g*(x) - g(x) is small. For example, if u(x) is an "ordinary" function, then including in 
F the cubic polynomials and the cubic splines with 5 or 10 breakpoints (in each 
variable) generally improves approximation power. If u(x) is not "ordinary" (e.g., is 
highly oscillatory, has boundary layers, has jumps or peaks) then including functions 
in F with similar features reduces the ability of agent A to discover information about 
u(x) from g(x). Another aspect that makes this kind of attack more difficult is to 
establish F as a one-time random space as previously described. For this aspect, 
because F itself is then unknown, the approximation g*(x) cannot be computed 
accurately and any estimates are correspondingly less uncertain. Still a further aspect 
is to approximate the function object u(x) with high accuracy, such as a variable 
breakpoint piecewise polynomial, and adding one or more disguise functions with the 
same breakpoints and different values. Yet, in other embodiments, it may not be 
desired to take additional measures to address a statistical attack, an approximation 
theoretic attack, or both. 

The second class of disguise operations include linear operator modification; 
where the operator equation is of the form Lu = b. For example, the linear and 
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differential equations of the following expressions (2) and (3), respectively, are of this 
form: 

linear equations: Ax - b (2) 

differential equations: y ' ' + cos(x)y ' + x 2 y = 1 - xe ~ x (3) 

5 This second class of disguises exploits linearity by randomly choosing v like u, i.e., v 
is the same! type of mathematical object, and then solving L(u + v) = b + Lv; where Lv 
is evaluated to be the same mathematical object type as b. In one embodiment, v is 
selected to be a combination of a random function and functions that already appear in 
the equation. For example, one could choose v(x) in the above differential equation 
10 (3) to be VRan(x) + 4.2cos(x) - 2.034xe" x ; where VRa n (x) is the random function 

component. In still other embodiments, different substitutions may be made as would 
occur to those skilled in the art. 

A third class of disguise operations modify various mathematical objects of 
the computation to be outsourced. Such modifications may include addition or 
15 multiplication to disguise the computation. One example of an objection modification 
disguise is to add a random function to an integral as exemplified by expression (4) 
that follows: 



JVxcos(x+3) (4) 



In another example of object modification, the solution of the Ax = b may be 
20 disguised by multiplying with 2 random diagonal matrices, Di and D2, to provide B = 
Di AD2 with subsystem 30; where A is an n x n matrix and b is a corresponding vector 
of n. The resulting matrix B is then provided as part of the outsourced computation of 
expression (5) as follows: 
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By = D!b (5) 
The solution x is then obtained from x=D 2 y. 

In a fourth class of disguises, the domain or dimensions, are modified. 
Modification techniques may include expansion, restriction, splitting or 
rearrangement. In an example of expansion, the evaluation of the integral of 
expression (6) that follows: 

i 

JVxcos(x+3) (6) 

o 

or solution of the problem of related type on [3,5] as shown in expression (7) that 
follows: 

y'(x) = (x + y)e- xy , y(3) = l (7) 

can be modified by expanding [0,1] to [0,2] and [3,5] to [2,5], respectively. In the 
case of expression (6), a random function u(x) is selected from function space F with 
u(l) = cos(4); it is integrated on [1,2]; and -fx cos(x + 3) is extended to [0,2] using 
u(x). In the' second case of expression (7), a random function u(x) is selected from 
function space F with u(3) = 1 and u'(3) = 4e ~ 3 . Its derivative u'(x) and its value u(2) 
are computed, and the following expressions (8) is solved with initial condition y'(2) 
= u>(2): 

y'(x) = (x + y)e" xy on [3,5] (8) 
. = u*(x) on [2,3] 



In an example of restriction, the dimension of a linear algebra computation is 
decreased by performing a part of it with subsystem 30, and outsourcing the rest, for 
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example, in solving Ax = b, (where A is an n x n matrix and b a corresponding vector 
of dimension n), one of the unknowns is selected and eliminated by Gauss elimination 
at random by customer C (subsystem 30); and the remaining computation is then sent 
to the agent A (computing center 50). Correspondingly, the order of the matrix 
changes by 1 and, further, it modifies all the remaining elements of A and b. 

In ^n example of splitting, a problem is partitioned into equivalent 
subproblems by splitting the domain. In the case of quadrature, this technique may be 
readily applied. The linear algebra problem Ax = b, (where A is an n x n matrix and b 
a corresponding vector of dimension n), can split by partitioning in accordance with 
the following expression (9): 



A= 



v 



Ai A 

An A^> 



(9) 



and creating two linear equations as shown in following expressions (10) and (1 1): 
Anxi = bi - Ai 2 x 2 (10) 
(A 22 - A 2 i Air 1 A 12 )x 2 = b 2 - A n -i bi (1 1) 

■ i 

In another example, the differential equation problem of the following 
expressions (12): 

y'(x) = (x + y)e" xy and y'(3) = 1 on [3,5] (12) 

can be split into the expressions (13) and (14) that follow: 

y'(x) = (x + y)e- xy y'(3) = 1, on [3,4] (13) 
y'(x) = (x + y)e _xy y'(u) - as computed, on [4,5] (14) 



19 



4-48409/7024-395 

Accordingly, splitting may be utilized to disguise different computation parts in 
different ways. 

A fifth class of disguise operations include utilizing one or more coordinate 
system changes. A related disguise for discrete problems, such as a linear algebra 
computations, are permutations of the corresponding matrix/vector indices. 
Coordinate system changes have been found to be particularly effective for enhancing 
security of outsourced computations concerning optimization and solutions to 
nonlinear systems. For example, consider the two-dimensional partial differential 
equation (PDE) problem of the following expression (15): 

V 2 /(^y) + (6-2 + 12sin(x + y))/ = fli(x,y) (s,y) in R 

/(x,y)=6i(*,y) (x,y) in Ri W 

2qg*> + »(x,y)/(x,y) - b z (x,y) (x, y) in R z 

where R u R 2 , and R 3 comprise the boundary of R. To implement the change of 
coordinates, u = u(x,y), v = v(x,y), one must be able to: invert the change, that is find 
the functions x = x(u,v), y = y(u,v) and compute derivatives needed in the PDE as 
given in the following expression (16): 

\dx* ) + dudx* + dv* \dx) ^ dvdx 2 K } 

The change of coordinates produces an equivalent PDE problem on some domain D 
in (u,v) space of the form given by the following expression (17): 



20 



4-48409/7024-395 



\ ff 



/(«, v) = c 2 (ix, u) (u, t>) 6 S 2 



5 where Si, S2, and S3 are the images of Ri, R2, R3 and the functions ay(u,v), hi(u,v), 
Cj(u,v) 5 dj(u,v) are obtained from substituting in the changes of variables and 
collecting terms. 

There are a number of coordinate changes where the inverse is known 
explicitly. In cases where the availability of this knowledge may unacceptably 

10 compromise security, other coordinate changes may be utilized by determining the 
inverse numerically. In one embodiment, the procedures described to create one-time 
coordinate changes using parameterized mappings with randomly chosen parameters 
in C. J. Ribbens, A fast adaptive grid scheme for elliptic partial differential equations , 
ACM Trans. Math. Softw., 15, (1989), 179-197; or C. J. Ribbens, Parallelization of 

1 5 adaptive grid domain mappings . In Parallel Processing for Scientific Computing, (G. 

■ i 

Rodrique, &L), SIAM, Philadelphia, (1989), 196-200) may be utilized to numerically 
determine inverses for this class of disguise and are hereby incorporated by reference 
in their entirety herein. In one variation of this embodiment, coordinate changes in 
the variables are made independently - that is: u = u(x) and v = v(y). 
20 A sixth class of disguises include substitution with equivalent mathematical 

dbjects, such as identities, and partitions of unity. It has been found that this type of 
disguise improves security even when random objects are readily separated from 
"actual" objects of a given computation. 
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Examples of identities that might be utilized in this way include the following 

collection of expressions (18): 

a 2 -ac + ^ = (a 3 +a: 3 )/(a + x) (18) 
log(xy) = log x + logy 
l + x = (l-x 2 )/(l-x) 
sin(x + y) = sin x cos y + cos x sin y 

cos 2 x - sin 2 y + cos (x + y) cos(x - y) ■ 

pcosx + «sin(y) = v^T^cos^ - cos" 1 (p/^P 2 + 
sin(3(i + y)) = 3sin(x + y) - 4sin 3 (x + y) 

Thus, if any component of these identities appears symbolically in a computation, the 
equivalent expression can be substituted to disguise the problem. A general source of 
useful identities for this class of disguise comes from the basic tools for manipulating 
mathematics, e.g., changes of representation of polynomials (power form, factored 
form, Newton form, Lagrange form, orthogonal polynomial basis, etc.), partial 
fraction expansions or series expansions. Other relations that may be useful in 
disguises of this kind include the Gamma, Psi, and Struve functions as respectively 
defined by expressions (19)-(21) as follows: 

r(x+l) = xr(x); (19) 

• I 

1 y,(x+l) = y(x) +l/x; and (20) 
H 1/2 (x) = (2/tcx) 1/2 (1-cosx). (21) 
The functions of expressions (19)-(21) can be combined with selected expressions 
(18) to provide the following identity expressions (22) and (23): 

sin(x) = [sin(Kl + 1/x) + x) - sin(y(l/x))cos x]/ cos(Kl/x)) (22) 
: log(x) = logr(x) + log(r(x = l)Hi/2(x)) - log(l - cosx) + l/21og(7tx/2) (23) 
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Identities that are equal to 1 are generally referred to as partitions of unity. 
Partitions of unity can be readily used in a given computation. Examples of this form 
of identity are collected as the following expressions (24): 

sin 2 x+cos 2 x = 1 (24) 

sec 2 (x + y) - tan 2 (x + y) = 1 

i 

(tanx + tany)/tan(x+y) + tanxtany = 1 
bi(r,x) + b 2 (r,s,x) + b 3 (r,s,x) + b 4 (s,x) = 1 

where the bi are "hat" functions defined by: 

bi(r 5 x) = max(l - x/r,0) 
b 2 (r,s,x) = max(0, min(x/r,(s - x)/(s - r))) 
b 3 (r,s,x) = max(0,min((x - r)/(s - r),(l - x)/(l - s))) 
b 4 (x,s) = max(0,(x - s)/(l - s)) 

each of which is a piecewise linear function with breakpoints at 0, r, s and/or 1 . 

Generalizations of this partition of unity are known for an arbitrary number of 

functions, arbitrary polynomial degree, arbitrary breakpoints, and arbitrary 

t 

smoothness' (less than the polynomial degree). Partitions of unity facilitate the 
introduction of unfamiliar and unrelated functions into symbolic expression. Thus the 
second partition of expressions (24) above becomes the following expression (25): 

sec 2 (y 7 (x) + u(1.07296, x)) - tan 2 (y 7 (x) + u(1.07296,x)) = 1 (25) 

where y 7 (x) is the Bessel function of fractional order and u(l. 07296, x) is the 
parabolic cylinder function. R.F. Boisvert, S. E. Howe, and D. K. Kahaner, Guide to 
Available Mathematical Software (GAMS): A framework for the management of 
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scientific software , ACM Trans. Math. Software, 11, (1995), 313-355, lists 48 classes 
of functions for which library software is available and is hereby incorporated by 
reference. 

Further, disguises may be enhanced by using functions and constants that 
appear in the actual arguments AA. Thus, if 2.70532, x 2 , cos(x) and log(x) initially 
appear in ap ordinary differential equation, one could use identities that involve these 
objects or closely related ones, e.g., 1.70532, 2x 2 - 1, cos(2x) or log (x + 1). Because 
of the difficulty in establishing identities, it is expected that using several identities in 
a mathematical model provides a corresponding increase in the degree of security. 
Further, one-time identities as follows may be provided. For example, there are 
several library programs to compute the best piecewise polynomial approximation to 
a given function f(x) with either specified or variable breakpoints as described 
in C. deBoor and J.R. Rice, An adaptive algorithm for multivariate approximation 
giving optimal convergence rates , J. Approx. Theory, 25, (1979), 337-359; and C. 
deBoor. A Practical Guide to Splines, SIAM Publications, (1978) that are hereby 
incorporated by reference in their entirety herein. It should be appreciated that with 
these techniques, the number of breakpoints and/or polynomial degrees can be 
increased to provide arbitrary precision in these approximations. Thus given the 
following expression (26): 

f(x) = sin(2.715x + 0.12346) / (1.2097 + x 107654 ) (26) 

or that f(x) is computed by a 1000 line code, one can use these library routines to 
replace f(x) by a code that merely evaluates a piecewise polynomial with 
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"appropriate" coefficients and breakpoints. One time identities may also use the 
classical mathematical special functions that have parameters, e.g., incomplete 
gamma and beta functions, Bessel function, Mathieu functions, spheroidal wave 
functions, and parabolic cylinder functions as further described in M. Abramowitz 
and L A. Stegun, Handbook of Mathematical Functions, Appl. Math. Series 55, 
National Bureau of Standards ., U. S. Govt. Printing Office, (1964) that is hereby 
incorporated by reference in its entirety herein. 

Having described a few different classes of disguises as listed in table II, it 
should be appreciated that this description is not intended to be exclusive, it being 
understood that other types of disguises as would occur to those skilled in the art are 
also contemplated. Further, while in some embodiments it is desirable to apply only 
one particular disguise operation prior to outsourcing, in other embodiments it may be 
desirable to enhance the degree of security by applying multiple disguise operations. 
Indeed, for a given type of outsourced computation, within each class of table II there 
may be several or many disguises that can be simultaneously utilized with or without 
disguises of one or more other classes. Likewise, some classes of disguises in library 
234 may be better suited to obscure or hide the actual arguments AA for a given type 
of outsourced computation than others. For example, it has been found that 
coordinate system changes are one of the more effective disguises for outsourced 
computations involving optimization and solutions of nonlinear systems. 

The selection of one or more disguises from library 234 and construction of a 
multiple disguise procedure may be based on several factors. One factor is the 
motivation to outsource. If the motivation includes a relative savings in processing 
time, then the time taken to perform operations 220, 260 should not defeat such 
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savings. For example, if the problem domain involves n x n matrices, then an 
operation count for operations 220, 260 on the order of n 2 might be acceptable to 
provide security for an outsourced computation that has an operation count on the 
order of n 3 , as is commonly associated with matrix inversion and multiplication. 

5 However, if the motivation concerns other matters such as availability of software or 
programming expertise, the relative processing time may be unimportant. Moreover, 
it should be understood that the invention is not intended to be limited to a particular 
motivation or relative distinction regarding the outsourced computation. 

Another factor is the invertability of the disguised result DR once the 

10 outsourced computation is completed. For example, it may be desired that the 

disguise be fully invertible - that is, after the disguise is applied and the disguised 
computation made, the actual answer S A may be recovered that corresponds to the 
actual arguments AA. Still, in other embodiments, it may only be desired that an 
approximated recovery be performed, so that the degree of recovery of actual answer 

15 SA may vary. 

' Still ' another factor is the degree of security afforded by a 'given form of 
disguise. Ideally, once a given disguise is applied, agent A (computing center 50) 
should not be able to discover either the original computation or its result; however, in 
practice, the level of security utilized may vary for a given situation. Yet another 

20 factor to consider is the relative cost of a particular disguise procedure. Generally, 
this operates as a trade-off with the degree of security sought. 

Program 230 is arranged to provide sequencing control of a disguise, 
outsourcing, retrieval and disguise inversion actions. As part of operation 220 
illustrated in Fig. 3, program 230 receives the actual arguments AA as input 222 and 

26 



4-48409/7024-395 

the type of computation selected to be outsourced as input 224. In response, program 
230 selects one or more disguise operations from library 234 in accordance with a 
suitable disguise procedure for inputs 222, 224. Program 230 may include a number 
of predetermined disguise procedures based on input 222 and/or input 224, operator 
input, one or more routines to synthesize a suitable procedure, or a combination of 
these. , 

In one embodiment, a routine to synthesize or suggest the disguise procedure 
may be determined, at least in part, from inputs corresponding to one or more of the 
previously described factors listed as follows: (a) outsourced computation type, (b) 
type/quantity of actual arguments, (c) processing constraints of subsystem 30 (such as 
the amount of preparation/recovery processing to be performed by subsystem 30), (d) 
motive for outsourcing, (e) degree of security desired, and (f) cost constraints. In still 
other embodiments, these factors may not be considered by program 230. Indeed, in 
one alternative embodiment, the particular disguise procedure is completely manually 
entered by an operator. 

' Once the disguise procedure is determined, program 230 constructs the 
disguised arguments DA using the selected disguise operations from library 234. 
Program 230 also coordinates the storage of appropriate disguise parameters in 
outsourced computation record 236 for later retrieval to recover the actual answer SA. 
Among its disguise operation routines, program 230 includes one or more routines to 
provide appropriate random objects with random number generators 232 as needed 
for a particular disguise procedure. A record 236 is maintained by program 230 for 
each outsourced computation at least until a result is received and processed via 
operation 260. Typically, the recorded parameters include relevant random numbers 
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or corresponding keys for one or more random numbers, the selected disguise 
operations applied, a reference to actual arguments AA corresponding to the given 
outsourced computation, and such other information as required to recover actual 
answer S A. After the disguised arguments DA are created, they are sent to the 
selected agent A, such as computing center 50, as output 250. 

Depending on a given disguise procedure, a substantial number qf "keys" may 
be needed to reconstruct an actual answer SA from a disguised result DR. For 
example, if a significant number of random objects are used, random number 
generator parameters, generator seeds, related coefficients and/or perhaps the random 
numbers themselves may be maintained in a corresponding record 236. It may be 
desirable to avoid keeping and labeling these keys individually. In one alternative 
embodiment of program 230, a master key is created that may be stored in record 236 
in lieu of a large number of keys for a given outsourced computation. This master key 
is provided to create an arbitrary number of derived keys or "sub-keys." For this 
embodiment, let K be the master key and k u i = 1,2,. . .,N be the sub-keys (where "i" is 
an integer index variable). The sub-keys k* are derived from K by a procedure P such 
as the following: 

(a) represent K as a long bit string (a 1 6 character key K generates 
128 bits using ASCII notation); 

(b) generate a bit string of length 128 bits with a random number 
generator G for each i = 1 ,2, . . . ,N; and 

(c) apply the randomly generated bit string of length 128 as a mask 
on the representation of K - select those bits of K where the random bit is 
one. 
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Thus, with a single key K and a random number generator G (such as one of 
generators 232), we can create many sub-keys. It should be appreciated that for 
procedure P, each k\ is easily derived from K; however, knowledge of even a 
substantial set of the k\ gives no information about K even if the generation procedure 
P is known. Correspondingly, because many of the sub-keys may be seeds or 
parameters for random number generators, large sets of random numbers can be used 
with a reduced risk of revealing the master key or other sub-keys even if a statistical 
attack on this aspect of the disguise is successful. 

Referring to Fig. 4, program 230 receives disguised result DR from computing 
center 50 as input 262. Program 230 references the corresponding record 236 to 
determine the processing needed to recover actual answer SA from the disguised 
result DR. The actual answer S A is provided as output 264 by program 230. 

Having described process 120 and operations 220, 260, the following 
examples of different types of outsourced computations are described, it being 
understood that these examples are merely illustrative and should not be considered 
limiting or restrictive in character. These examples are described in terms of system 
20 and process 120; however, other systems and processes may be utilized to execute 
these examples as would occur to those skilled in the art. Further, it should be 
understood that program 230 may include instructions or routines in accordance with 
one or more of the disguise operations of these examples, but one or more different 
programs and/or operator input of one or more operations may be utilized. Likewise, 
computer 52 of computing center 50 may be programmed to execute the outsourced 
computations associated with these examples, or different agents A may be used for 
the various procedures described in the examples. 
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EXAMPLE ONE 

Matrix multiplication of two nxn matrices Mi and M2 may be readily 
disguised in accordance with a first example of the present invention designated as 
5 disguise procedure DPI . Matrices Mi and M2 are the actual arguments AA to be 
outsourced. t For DPI, the kronecker delta function, S Ly is utilized which equals 1 if 
x = y and 0 if x * y. Subsystem 30 performs the following stages a.-c. to prepare 
disguised arguments DA in accordance with DPI : 

a. creates (i) three random permutations 7il, 7c2, and %3 of the integers 
10 { 1 ,2,. . . ,n} and (ii) three sets of non-zero random numbers 

{ai,a 2 ,... ) a n }, {Pi, p 2 ,...,Pn}> and {yi,y 2 ,...,y n }; 

b. creates matrices Pi, P 2 , and P 3 where Pi(i, j) = aiSfli^, P 2 (i, j) = 
Pi5it2(Qj> m & p 3(ij) = YiSjt3(i)j (these matrices are readily invertible, e.g., 
Pr^aj^fW; and 

15 . a computes the matrix X = P1M1P2" 1 (such that X(jj)= (oi/Pj)Mi(7cl(i), 

7i2(j))),andY = P 2 M 2 P 3 

Matrices X and Y define the disguised arguments DA for DPI ♦ Subsystem 30 sends 
the matrices X and Y to computing center 50. Computing center 50 determines the 

20 product Z -= XY = (PiMiP 2 _1 ) (P 2 M 2 P 3 ~ l ) - PiMiM 2 P 3 _1 and sends matrix Z back to 

1 

subsystem 30. Matrix Z is the disguised result DR for DPI . 

Subsystem 30 computes locally, in 0(n ) time, the matrix Pf ZP 3 , which 

equals MiM 2 , the actual answer SA; where the function 0(n 2 ) represents processing 

time on the order of and proportional to n 2 . It should be appreciated that the 
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outsourced computation by computing center 50 for DPI requires processing 
proportional to n 3 as represented by 0(n 3 ). 

EXAMPLE TWO 

At the expense of more complex disguise preparation by subsystem 30, a 
greater degree of security may be provided in a second matrix multiplication example 
designated as disguise procedure DP2. For DP2, subsystem 30 performs the 
following stages a.- c: 

a. compute matrices X = P1M1P2" 1 and Y = P2M2P3" 1 in accordance 
with disguise procedure DP 1 ; 

b. select two random n x n matrices Si and S2 and generate four 
random numbers 0, y, p f , y' such that (p + y)((p' + tWP ~ YP') * °l ^ 

c. compute the six matrices X + Si, Y + S 2) pX -^Si, pY -yS 2 , 
P'X-ySi,p'Y-YS 2 . 

The 'following three matrix multiplications are then outsourced by subsystem 30 to 
computing center 50: (a) W - (X + Si)(Y + S 2 ); (b) U = (pX - yS0(PY - yS 2 ); and (c) 
U' = (p'X - y'Si)(P'Y - y'S2). The results are returned by computing center 50 to 
subsystem 30. Subsystem 30 then locally computes matrices V and V; where 
V = (P + y) _1 (U + pyW) and V = (p' + y') "* (IT + p Y W). It should be appreciated 
that V = pXY +ySiS 2 , and V ' = P'XY + y 1 S1S2. Subsystem 30 outsources the 
computation: (y'p - yp ') " l (y' V - yV) as the disguised arguments DA which equal 
the product XY. Computing center 50 returns the remotely computed matrix product 
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XY (the disguised result DR); and subsystem 30 computes M1M2 from XY 
according to: Pi ^XYPs - Pi" 1 (PiM^ ~ ! )(P 2 M 2 P3 = MiM 2 . 

EXAMPLE THREE 

5 Disguise procedure DP3 as follows provides a third example of a disguised 

outsource4 matrix multiplication. DP3 utilizes DP2 and further impose? control on 
the length of random number sequences generated to provide a more robust random 
number generator disguise. For DP3, subsystem 30 defines L as the maximum length 
for a sequence from a random number generator so that M = [m/L] is the number of 

1 0 distinct random number generators 232 needed. Let G( A(i)), i = 1 ,2 . . . ,M be one-time 
random number generators. Each random generator has a vector A(i) of 12 
parameters/seeds. Correspondingly, non-zero vectors are provided for the three 
matrices Pi, P 2 , P3 used to disguise Mi and M 2 . Computing center 50 receives X = 
PiMiP 2 ~ [ and Y - P 2 M 2 P3 for the outsourced multiplication and returns matrix Z to 

1 5 subsystem 30. This approach further hampers the ability to successfully impose a 
statistical attack. Further, as long as computing center 50 is without information 
about Mi and M 2 , it appears a statistical attack is the only type of attack available. 

EXAMPLE FOUR 

20 In a fourth example, disguise procedure DP4 for the multiplication of non-square 

matrices is utilized; where Mi is / x m and M 2 is m x n, and hence: MiM 2 is / x n. 
For DP4, any of the procedures DPI , DP2, DP3 may be utilized with the sizes of the 
Pi and Si matrices being selected accordingly. For matrices S,- of DP2 or DP3, Si is of 
/ x m dimension and S 2 is of m x n dimension, because each of them is added to 
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matrices having such dimensions. For the matrices Pi it should be appreciated that Pi 
is constrained to be: (i) square so that it may be inverted, (ii) sized to be compatible 
with the number of rows of the matrices that it (or its inverse) left-multiplies, and (iii) 
sized to be compatible with the number of columns of the matrices that it (or its 
5 inverse) right-multiplies. For example, as P2 is used for left-multiplying M2, and M2 
has m rows, P2 should bemxm. The constraint that P2" right-multiplies Mi is 
compatible with the previous one, because Mi has m columns. 

EXAMPLE FIVE 

10 In a fifth example, dimension hiding is included for an outsourced matrix 

multiplication as disguise procedure DPS. For DPS, subsystem 30 defines Mi with 
dimension a x b matrix and M2 with dimension b x c matrix. Two or more matrix 
multiplications using one of the previously described matrix multiplication procedures 
DP1-DP4 are performed instead of just one. These substitute multiplications are 

15 performed with matrices having dimensions a\ b\ c* different from a, b, c. Hiding the 
dimensions' can be done by either enlarging or shrinking one (or'a combination of) the 
relevant dimensions. A dimension a is "enlarged" if a* > a, and "shrunk" if a 1 < a 
(similarly for b f and c 1 ). Although for convenience enlargement and shrinking are 
described separately, it should be understood that these operations alternatively can be 

20 done in combination. 

Enlarging a (so that it becomes a* > a) is performed by subsystem 30 by 
appending a* - a additional rows, having random entries, to matrix Mi. As a result, 
product M1M2 has a - a additional rows that may be ignored. Enlarging c (so that c* > 
c) is performed by subsystem 30 by appending c T - c additional columns, having 
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random entries, to matrix M2> causing the resulting product of M1M2 to have c 1 - c 
additional columns, that can be ignored. 

Alternatively or additionally, subsystem 30 may enlarge vector b by 
appending b'- b extra columns to the first matrix and b r - b extra rows to the second 
5 matrix. It should be appreciated that these additional rows and columns cannot have 
completely random entries because they may interact to corrupt the outsourced 
calculation result. Accordingly, to avoid any corruption, subsystem 30 preserves the 
dimensions of the resulting product matrix M1M2 by: (a) numbering the b - b extra 
columns 1,2,..., b'- b, and similarly numbering the extra rows 1,2,..., b- b; (b) 

10 selecting the entries of the odd-numbered extra columns and rows to be random and 
zero, respectively; and (c) selecting the entries of the even-numbered extra columns 
and rows to be zero and random, respectively. These operations assure that enlarging 
b does not cause a change in the matrix product M1M2. For embodiments that enlarge 
b in conjunction with enlargements of a and/or c, the enlargement of b is preferably 

15 performed first. 

^ Dimensional shrinking of a may be performed as part of DPS with subsystem 
30 by partitioning the first matrix Mi into two matrices: Mi 1 having the first a'- a rows 
and Mi" having the last a* columns. Matrix M 2 stays the same, but to get the a x c 
matrix, both products Mi'M 2 and Mi"M 2 are outsourced. Dimensional shrinking of c 

20 is performed by partitioning the second matrix M 2 into two matrices: M 2 having the 
first c'- c columns and M 2 " having the last c r columns. Matrix Mi stays the same, but 
to get the a x c matrix, both products M1M2 and MiM 2 r are outsourced. 

Additionally or alternatively, DPS may include dimensional shrinking of b. 
Subsystem 30 shrinks b by partitioning both matrices Mi, M 2 into two matrices. 

34 



4^8409/7024-395 

Matrix Mi is partitioned into matrix M{ having the first b - b' columns and matrix Mi" 
having the last b' columns. Matrix M 2 is partitioned into matrix M 2 f having the first b 
- b r rows and matrix M 2 " having the last b ? rows. The axe product matrix sought is 

thenMjW* MiW. 

DPS also optionally includes performing the three above shrinking operations 
together. This option results in a partition of each of matrices Mi and M2 into four 
matrices. Using, for example, the notation Mi([i:j], [k:l]) for the submatrix of Mi 
whose rows are in the interval [i:j] and whose columns are in the interval [k:l], then 
computing M1M2 requires the following four computations (a)-(d): 

(a) Mi([l :a-a'],[l :b-b'])M 2 (l : b-b'],[l : c-c']) + 

Mi([l : a - a'],[b - b* + 1 : b])M 2 ([b - V + 1 : b],[l : c - c']); 

(b) Mi([l : a - a'],[l : b - b'])M 2 (l : b - b'],[c - c' + 1 : c]) + 

Mi([l : a-a'L[b-b' + 1 : b])M 2 ([b-b' + 1 : b],[c-c> + 1 : c]); 

(c) Mi([a-a* + l :a],[l : b-b'})M 2 ([l: b-b'],[l :c-c']) + 

Mi([a - a 5 + 1 : a],[b - V + 1 : b])M 2 ([b - b' + 1 : b],[l : c - c>]); and 
1 (d) <Mi([a-a' + 1 : a],[l : b-b'})M 2 ([l: b-b'],[c-c J h- 1 : c]) + 

Mi([a-a' + l :a] ? [b-b ? + l :b])M 2 ([b-b' + 1 : b],[c-c* + 1 : c]). 

EXAMPLE SIX 

In a sixth example, a secure matrix inversion disguise procedure DP6 is 
provided for matrix M; where the entries of matrix M are the actual arguments AA. 
For DP6, the following steps a.- j. are performed: 

a. Subsystem 30 selects a random n x n matrix S. 
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b. Subsystem 30 securely outsources the matrix computation C = MS 
by executing one of the previously described procedures DP 1-3 or DPS as a 
subroutine of DP6. 

c. Subsystem 30 generates matrices Pi, P2,P3,P4,Ps using the same 
method as for the Pi matrix of DPI. That is, Pi(ij) = afinKM* p 2(ij) = bjS^eQj, 
P3O j) = c i 5 X 3( i )j ? P 4 (i j) = di5 n4 (i)j, and P 5 (i j) = e&csow, where jcl, n2 9 7t3, %4, %5 
are random permutations, and where a^bi, Ci f d\ 9 ej are random numbers. 

d. Subsystem 30 computes the matrices: Q = P1CP2" 1 = P1MSP2*" 1 
andR = P 3 SP 4 " 1 . 

e. Subsystem 30 outsources the computation of Q'\to computing 
center 50. 

f. If computing center 50 succeeds in determining Q" 1 , it returns Q" 1 to 
subsystem 30; otherwise computing center 50 indicates Q is not invertible to 
subsystem 30. If this indication is received by subsystem 30, it tests whether: 

(i) S is invertible by first computing S — S1SS2; where Si and S2 are 
1 , matrices known to be invertible, and outsources matrix S to computing 

center 50 for inverting. It should be understood that the only interest is 
whether S is invertible or not, not in its actual inverse. The fact S is 
discarded makes the choice of Si and S2 less crucial; however, 
choosing Si and S2 to be the identity matrices may not be desirable 
because it may make it easier to learn how the random matrices are 
generated. 
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(ii) If computing center 50 can invert S, then S is invertible, and hence 
M is not invertible. If the computing center 50 indicates S is not 
invertible, then S is not invertible. In that case, operations (a)-(f) of 
DP6 are repeated with a different S. 

» g. If Q is invertible, then, in accordance with the observation that 
Q" 1 = P 2 S" l M" 1 Pf 1 , subsystem 30 computes the matrix T = P 4 P2" 1 Q _1 Pi Ps" 1 
which is equal to P 4 S ~*M ~ } V 5 ~ l . 

h. Subsystem 30 outsources the computation of Z= RT to computing 
center 50 which serve as disguised arguments DA. One of DP1-DP3 or DPS 
may be utilized as a subroutine for this operation. 

i. Computing center 50 returns Z, the disguised result DR, to 
subsystem 30. 

j. Observing that Z- P 3 SP 4 " 1 P 4 S _1 M ^Ps" 1 = P 3 M l ¥ 5 '\ subsystem 30 
computes Pa^ZPs, which equals M the actual answer SA. 

■ i 

t 1 

EXAMPLE SEVEN 
In a seventh example, dimensional hiding is incorporated into secure matrix 
inversion in disguise procedure DP7. For DP7, hiding dimension n for matrix 
inversion may be achieved by: (a) using the dimension-hiding version of matrix 
multiplication described in connection with procedure DPS of Example Five, and (b) 
modifying stage "f." of DP6 to perform the inversion of Q by inverting a small 
number of n* x n 1 matrices where n f differs from n. Otherwise DP7 is performed the 
same as DP6. DP7 provides an option of enlarging the dimension of Q, (i.e., n T > n) 
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for which stage "f." of DP6 is modified to invert one n* x n r matrix Q r defined as 
follows; where the matrices O', O" are of n x (n* - n ) and (n' - n) x n dimension, 
respectively, and all of whose entries are zero, and S* is an (n 1 - n) x ( n' - n) random 
invertible matrix: 

Q'([l:n],[l:n]) = Q; 
QX[l:n],[n+l:n']) = 0'; 
Q'([n + 1 : n'],[l : n]) = O"; and 
QXtn+1 :n'],[n+l :n']) = S\ 

It should be understood that the inversion of Q' is not performed by sending it directly 
to computing center 50 as the zeros in it may reveal n. Rather, the inversion of Q is 
performed in accordance with DP6. 

Dimension shrinking may optionally be included in DP7 based on the premise 
that if X = Q ([l:m], [l:m]) is invertible (m < n), Y = Q ([m +1: n], [m + 1: n]), V = Q 

([1 : m], [m + 1 : n]), W = Q ([ m + 1 : n], [1 : m]), and D = Y - WX V is invertible, 

f 

then: ■ 

Q" ! ([l : m],[l : m]) = X' 1 + X'Vd^WX" 1 ; 
Q-'ffl : m],[m + 1 : n]) = -X^VD" 1 ; 
Q'\[m + 1 : n],[l : m]) - -D^WX" 1 ; and 
Q'\[m + 1 : n],[m+ 1 : n]) = D' 1 . 

Correspondingly, for DP7, Q is partitioned into four matrices X, Y, V, W. One of the 
secure matrix multiplication techniques DPI - DP3 or DPS and the secure matrix 
inversion of procedure DP6 are utilized to determine the four pieces of Q" 1 . 
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EXAMPLE EIGHT 
In an eighth example of the present invention, secure outsourcing of a linear 
system of equations is provided as disguise procedure DP8. For a system of linear 
equations, the actual arguments may be represented in the form Mx=b; where M is a 
square n x,n matrix, b is a vector of dimension n, and x is a vector of ^unknowns. 
For DP8, the following stages a.- e. are performed: 

a. Subsystem 30 selects a random n x n matrix B and a random 
number j e { 1 ,2, . . . ,n} and replaces the j ~th row of B by b such that: 

B = [Bi,...Bj_i, Bj + i, B n ]. 

b. Subsystem 30 generates matrices Pi, P2, P3 using the same method 
as for the Pi matrix in DPI, such that Pi(ij) = ^ n \ my P 2 (i j) = biS^oj, P3(ij) 
= CiSjgfly where %\, %2, n3 are random permutations, and where aj,bi, c;, are 
random numbers. 

c. Subsystem 30 computes the matrices C = P1MP2" 1 and G = P1BP3" 1 . 
( d. Subsystem 30 outsources the solution of the linear system Cx = G 

to computing center 50. If 6 is singular then computing center 50 returns a 
message with this indication; otherwise center 50 returns: IJ = C -1 G . 

e. Subsystem 30 computes X - P2~ 1 UP3 which equals M~ ! B, because: 
P2" ! UP 3 = P 2 " l C "^Pa = P2~ 1 P 2 M~ 1 Pr 1 PiBP3"" 1 P3 =M~ 1 B; where, the 
answer x (actual answer SA) is the j-th column of X, i.e., x = Xj. 
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EXAMPLE NINE 
In a ninth example, dimensional hiding of a linear system of equations is 
provided by disguise procedure DP9. For DP9, dimension n of the linear system of 
equations is hidden by embedding the problem Mx - b into a larger problem M r x' = b f 
5 of the size n* > n. In what follows, if X is an r x c matrix and Y is and r' xc'(r< r'), 
the notation "Y = X(*,[l :c])" means that Y consists of as many copies of X as needed 
to fill the r' rows of Y. It should be appreciated that the last copy could be partial, if r 
does not divide r\ For example, if r* — 2.5r then the notation would mean that: 
Y([l :r],[l :c]) = Y([r+l : 2r], [1 :c]) = X,and 
10 Y([2r + 1 : 2.5r], [1 : c]) = X([ 1 : 0.5r], [1 : c]). 

The larger problem M'x f = b* of size n'> n is defined as follows. The matrix 
M' and vector b' are defined as follows, where: the matrices O* and O n are of 
dimension nx(n'- n) and (n* - n) x n, respectively, all of whose entries are zero; S f is 
an (n* - n) x (n f - n) random invertible matrix, and y is a random vector of length ri-n: 
15 M'([l :n],[l :n]) = M; 

! , M ? ([l :n],[n+ 1 :n']) = 0'; 

M'([n + 1 : n'],[l : n]) - O"; 
M'([n+1 :n'],[n+l :n])-S'; 
V([l :n]) = b; and 
20 b'([n+l :n'])-SY 

Then the solution x f to the system M f x* = b' is x' ([1 : n]) = x and x' ([n + 1 , n']) = y. 
Note that the zero entries of O' and O" do not betray n because these zeroes are hidden 
when C = P1MP2 _1 is computed. As an alternative, matrices O* and O" need not have 
zeroes if: 
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a. O' is a random matrix (rather than a matrix of zeros); 

b. 0" = M(*,[l:n]); 

c. S' = 0'(*, [n+ 1 :n']);and 

d. b' = (b + 0*y)(*). 

If the selection of random values for y and matrix O' result in a noninvertible M', then 
the corresponding operations are repeated until an invertible M* results.. For an 
invertible M', the solutions x' to the system MV = b' remains x'([l : n]) = x and x' ([n 
+ 1, nT) = y because Mx + O'y = b'([ 1 : n]) = b + O'y and hence Mx = b. 

EXAMPLE TEN 

A tenth example is provided as disguise procedure DP 10 for a secure 
quadrature computation to be outsourced. For DP 1 0, the objective is to provide an 
estimate corresponding to the following expression (27): 

J f(x)dx (27) 

a 

witli accuracy designated as "eps". Expression (27) corresponds to the actual 
arguments AA to be disguised by DP 10. DP 10 proceeds in accordance with stages 
a.-e. as follows: 

a. Subsystem 30 chooses xi = a, x 7 = b and 5 ordered, random 
numbers Xi in [a,b] and 7 values v* with a range defined such that min | f(x) | 
« Mi <L M 2 * max | f(x) | ; where Mi and M 2 are estimations and the 
operators min | f(x) | and max | f(x) j return the minimum and maximum 
value of f(x), respectively. 
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b. Subsystem 30 creates a cubic spline g(x) with breakpoints Xi such 
that g(xi) = Vi . 

c. Subsystem 30 integrates g(x) from a to b to obtain Ii and sends 
g(x)+f(x) (the disguised arguments DA) and eps to computing center 50 for 
numerical quadrature. 

d. Computing center 50 returns I2 (the disguised result DR) to 

1, 

subsystem 30. 

e. Subsystem 30 computes h - h which is the actual answer SA. 

EXAMPLE ELEVEN 
In an eleventh example, a disguise procedure DPI 1 for quadrature 
computations is provided that is more robust with respect to an approximation 
theoretic attack. DPI 1 modifies DP 10 to add a second disguise function. 
Specifically, to assure that f(x) has a smoothness characteristic comparable to g(x). 
Further security enhancements may optionally be incorporated by using reverse 
coirimunica,tion as described in J.R. Rice, Numerical Methods. Software, and 
Analysis , 2d ed., Academic Press (1993), which is hereby incorporated by reference 
in its entirety, or by replacing f(x) with a high accuracy approximation as previously 
discussed in connection with random function determinations. 

EXAMPLE TWELVE 
In a twelfth example, disguise procedure DP 12 provides for secure 
outsourcing of a convolution computation of two vectors Mi and M 2 of size n, 
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indexed from 0 to n - 1 (the actual arguments AA)* It should be appreciated that the 
convolution M, of Mi and M2, is a new vector of the size 2n - 1, denoted by 
M = Mi ® M 2 , such that expression (28) follows: 

min(i,n— 1) 

M(t) = M x (k)M 2 (i-k). (28) 

k=0 

DP 12 includes the following stages a.-f.: 

a. Subsystem 30 randomly selects vectors Si, S2, of size n and five 
positive numbers a, p, y, p f , y' such that: (P + ay)(p' + ay')(y'p - yp') * 0. 

b. Subsystem 30 computes six vectors: aMi + Si, C1M2 + S2, 
PMj-ySi, pM 2 »yS 2 ,P r Mi-y l S 1? p'M 2 -+y'S 2 . 

a Subsystem 30 outsources to computing center 50 the three 
convolutions defined by expressions (29)-(31) that follow: 

W = (aMi + Si ) ® ( aM 2 + S 2 ); (29) 
U = (pMi-yS0 <g>(pM 2 -yS 2 );and (30) 
U' = (p'Mi-y'Sl) ®(P'M 2 -y , S 2 ). (31) 

d. Computing center 50 returns W, U, and U' to subsystem 30 as the 
disguised results DR. 

e. Subsystem 30 computes the vectors according to expressions (32) 
and (33) as follows: 

V-(p + ay)" 1 (aU + PyW) (32) 
V = ( p ' + ay') - 1 ( aU' + p'y * W ) (33) 

where it may be observed that V = aPMi ® M2 + ySi ® S 2 , and 

V - ap 1 Mi ® M 2 + ysi ® s 2 . 
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f. Subsystem 30 computes a" 1 ( y'p - yp' ) _I ( y 9 V - yV % which 
equals the actual answer S A, Mi ® M2 . 



Further, security of an outsourced convolution computation may be enhanced 
5 by hiding the dimension. The dimension may be expanded for a convolution 
computatipn by "padding" the two input vectors with zeroes. The zeroes do not 
betray the value of n because they are hidden through the addition of random 
numbers. Alternatively or additionally, the dimension may be hidden by shrinking the 
problem size with two operations: (a) replacing the convolution size n by three 

a 

fl 1 0 convolutions of size n/2 each, and then (b) recursively hiding (by shrinking or 

\Z * expanding) the sizes of these three convolutions with a recursion depth of 0(1). 

ru 

EXAMPLE THIRTEEN 
In a thirteenth example, disguise procedure DP 13 provides for secure 
outsourcing of the solution to a differential equation defined as a two point boundary 
value problem in expressions (34)-(36) that follow: 

y" + + a 2 (x)y = f(x,y); (34) 

y(a) = y 0 ; and (35) 
y(b) = yi. (36) 
The differential equation of expression (34) and the boundary conditions of 
expressions (35) and (36) are the actual arguments SA for DPI 3. DP13 proceeds in 
accordance with stages a,- d. as follows: 

a. Subsystem 30 selects a cubic spline g(x) and creates the function of 
expression (37) that follows: 
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u(x) - g" + a,(x)g' + a 2 (x)g. (37) 

b. Subsystem 30 sends the problem defined by the following 
expressions (38)-(40) as disguised arguments DA to computing center 50 for 
solution: 

y" + ai(x)y' + a 2 (x)y = f(x,y) + u(x); (38) 
{ y(a) = y 0 +u(a);and (39> 

y(b) = yi +u(b). (40) 

c. Computing center 50 solves the problem corresponding to 
expressions (38)-(40) and returns z(x), the disguised result DR, to subsystem 
30. 

d. Subsystem 30 computes the actual answer, z(x) - g(x). 

EXAMPLE FOURTEEN 
The outsourcing of computations may involve the transmission of a substantial 
amount of symbolic input, either pure mathematical expressions or high level 
programming language (Fortran, C, etc.) code. Such code can compromise security if 
provided without a disguise during outsourcing. Disguise procedure DP 14 of this 
fourteenth example describes various techniques to disguise symbolic information and 
to address security risks posed by "symbolic code analysis" attacks. Various 
operations that may be alternatively or collectively performed in accordance with 
DP14 include: 

(a) reducing or eliminating all name information in the code, including 
the deletion of all comments and/or removal of all information from variable 
names; 
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(b) utilizing approximations of basic mathematical functions, such as 
sine, cosine, logarithm, absolute value, exponentiation, to reduce the 
likelihood such functions can be readily identified by code inspection 
(techniques may include, for example, one time elementary function 
approximations for these functions using a combination of a few random 
parameters along with best piecewise polynomial, variable breakpoint 
approximations); 

(c) applying symbolic transformations such as changes of coordinates, 
changes of basis functions or representations, and use of identities and 
expansions of unity; and/or 

(d) utilizing reverse communication to avoid passing source code for 
numerical computations to agent A and to hide parts of the original 
computation. 

: jg 15 In one instance of reverse communication according to this example, it may be 

. h 

H desirable to avoid passing the code for the function u(x) to computing center 50; 

however, computing center 50 may be selected to do computations to provide x before 
u(x) needs to be determined, and further computing center 50 may selected to perform 
computations involving u(x) after u(x) is made available. Accordingly, subsystem 30 
20 receives x from computing center 50, evaluates u(x), and returns u(x) to computing 
center 50 for further processing in accordance with this reverse communication 
embodiment. 

In one instance of symbolic transformation according to this example, the 
readily recognizable differential equation given by expression (41) as follows: 
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y" + x*cos(x)y' + (x 2 + log(x))y = 1 + x 2 , (41) 
is disguised by applying the following symbolic transformations defined by 
expressions (42)-(47) that follow: 

cos 2 x - sin 2 y = cos(x + y) cos(x - y); (42) 
sec 2 (x + y)-tan 2 (x + y) = 1; (43) 
t (tanx + tany)/tan(x + y) + tanxtany== 1; (44) 
l+x = (l-x 2 )/(x-x); (45) 
sin(3(x+ y)) = 3sin(x + y) - 4sin 3 (x + y); and (46) 
a 2 -ax + x 2 = (a 3 + x 3 )/(a + x). (47) 
By rearranging and renaming, a more complicated result may be obtained as 
represented by expression (48); where the Greek letters are various constants that 
have been generated: 

(Pcos 2 x - 8) y" + x[cosx/(ycos(x+l)) - cosx sin(x + 1) tan (x + 1)]* 

[e- sin 2 x + s sin(x +1) - sin 2 xsin(x+l)]y ? 

+ [p(xcosx) 2 - r[(x + logx) + Ocosx log(x 2 )]* 

[r| sinx + 8 tanx + [xsinx + jicosx + v) / tan (x + 2)] y 

= ( 1 + x 2 )[sinx + ticosx] (48) 



Moreover, by further renaming and implementation of some elementary functions, 
including the replacement of the variable names by the order in which the variables 
appear, expression (48) is becomes expression (49) as follows: 

y ' 9 [xO 1 * x02(x) - x03] (49) 
+ y' [x04 * x / (x05 cos(x + 1) + cosx * x06(x) tan(x + 1)]* 

[x07 - sin 2 x- x08(x)sin 2 + x07sin 2 (x + 1)] 
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+ y[x0 1 * (x * x09(x)) 2 - x 1 0(x + logx) + x 1 1 cosxlogx 2 ]* 

[xl2 * xl3(x) + xl4tanx + xlSsinx + xl6cosx + xl7)] 
= sinx + xl8 * (1 + x 2 ) * x09(x) + xl9(x) + xl0*x 2 cosx. 

EXAMPLE FIFTEEN 
In example fifteen, disguise procedure DP 15 is applied to enhance security of 
an outsourced computation for detecting edges of an image represented by an n x n 
array of pixel values p(x,y) between 0 and 1 00,000 on the square 0 < x,y <_ 1 . DP 1 5 
includes the following stages a.- f.: 

a. Subsystem 30 sets xi,yi = 0, xio,yio = 1 > and selects: two sets of 8 
ordered, random numbers with 0 < Xi,yi < 1; 100 random values 0 < vy < 
50,000; and, 4 pairs (ai,bi) of positive, random numbers with ai = min(ai), 
a4 = max(ai)), bi = min(bi), b4 = max(bi). 

b. Subsystem 30 establishes the bi-cubic spline s(x,y) so that 
s(xi,yi) = Vy. 

c. Subsystem 30 determines the linear change of coordinates from 
(x,y) to (u,v) that maps the unit square into the rectangle with vertices (aj,bj). 

d. Subsystem 30 sends p(u(x,y), v(x,y)) + s(u(x,y), v(x,y)) as disguised 
arguments DA to computing center 50 to perform an edge detection 
computation. 

e* Computing center 50 generates the disguised result DR as an image 
e(u,v) showing the edges and returns e(u,v) to subsystem 30. 

f. Subsystem 30 computes e(x(u,v), y(u,v)) to obtain actual answer 
SA, the desired edges. 
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EXAMPLE SIXTEEN 
For example sixteen, secure outsourcing of template matching utilized for 
image analysis is provided by disguise procedure DP 16. For an N x N image I and a 
5 smaller n x n image object P, consider the computation ofan(N~n+l)x(N-n + 
1) score matrix Ci, P of the form given by expression (50) as follows: 



C/,p(m) = £ £ f(?(* + *.i + k%P((k,k% 0 < ij < N - n, (50) 

*=0 Jfc'=0 



10 for some function f. Score matrices are often used in image analysis, specifically in 
template matching, when one is trying to determine whether (and where) an object 
occurs in an image. A small Cij>(i j) indicates an approximate occurrence of the 
image object P in the image I (a zero indicates an exact occurrence). Frequent choices 
for the function f are f(x,y) - (x - y) 2 and f(x,y) = |x - y|. 

15 When the function f( x,y ) = ( x - y ) 2 is selected, DP 16 proceeds with stages 

a.-e. as follows: 

a. Subsystem 30 selects a random N x N matrix SI, and a random n x 
n matrix S2; and generates five positive random numbers a, p, y, p\ y* such 

that (0 + oy)(P' + ay'XY'P - YP') * 0. 
20 b. Subsystem 30 computes six matrices: al + SI, aP + S2, pl-ySl, pP 

-^yS2, P'l -y'Sl, P'P ~yS2, that serve as disguised arguments DA. 

c. Subsystem 30 outsources the computation of three score matrices 
C x ,y, to computing center 50; where there is one score matrix for each pair X,Y 
of the matrices received. 
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d. Computing center 50 calculates the matrices and returns them to 



subsystem 30 as defined by the following expressions (51)-(53): 



W- C(oI + Sl),(oP + S2) 



(51) 



U-C(pi- Y Sl)(pp-yS2) 



(52) 



U' ™ C(p'i_ T >si)(p'P-y'S2) 



(53) 



, e. Subsystem 30 computes the matrices V and V from W, U, and IT 
(the disguised results DR) as returned by computing center 50. The 
determination of matrices V and V* are in accordance with expressions (54)- 
(55) as follows: 



Subsystem 30 computes a _1 (y'P - yP>) ~ J (y' V - yV) from V and V* which 
equals Ci, P . 

When the function f( x,y ) = |x - y| is selected, DP 16 proceeds with a two- 
dimensional version of the convolution disguise procedure, DP 12; where A is defined 
as an alphabet, i.e., the set of symbols that appear in I or P; and for every symbol x 
e A, DP 16 proceeds with the following stages a.- h.: 

a. Subsystem 30 replaces, in I, every symbol other than x by 0 (every 
x in I stays the same); where I x is designated the resulting image. 

b. Subsystem 30 replaces every symbol that is < x by 1 in P, and 
replaces every other symbol by 0; where P x is designated as the resulting 
image. P x is augmented into an N x N matrix n x by padding it with zeroes 
which serves a first group of the disguised arguments DA. 



V = (p + ay)' 1 (aU + PyW); and 



(54) 



V> = (p 5 + ay 5 ) ~ ! (aU' + PYW). 



(55) 
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c. Subsystem 30 outsources the computation of the score matrix 
according to the following expression (56) to computing center 50: 

D x (iJ) = EEWHij'+^lM'), 0 < ij <N-n. (56) 

Expression (55) is a form of 2-dimensional convolution that can be outsourced 
using DP12. 

d. Subsystem 30 replaces, in P, every symbol other than x by 0 (every 
x in P stays the same); where P x ' is designated as the resulting image. P x ' is 
augmented into an N x N matrix II x ' by padding it with zeroes which serves 
as second group of the disguised arguments (DA). 

e. Subsystem 30 replaces every symbol that is < x by 1 in I, and every 
other symbol by 0; where I x ' is designated the resulting image. 

f. Subsystem 30 outsources the computation of the score matrix 
according to the following expression (57) to computing center 50: 

D' x (i,j) * EE £<* + *■ 3 + fc ')n*(M'), 0 < i,j < N - n. (57) 

Expression (56) is a form of 2-dimensional convolution that can be outsourced 
20 using DP12. 

g. Computing center 50 returns the computations corresponding to 
expressions (56) and (57) (the disguised results DR) to subsystem 30. 

h. Subsystem 30 computes the actual answer SA in accordance with 
expression (58) as follows: 
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CLP = E(D, + Dx) 



(58) 



EXAMPLE SEVENTEEN 
In example seventeen, a secure outsourcing technique for sorting a sequence 

of numbers E = {ei,. . en} is provided as disguise procedure DP 17. DP17 proceeds 

i, 

with stages a.- f. as follows: 

a. Subsystem 30 selects a strictly increasing function f : E — > R, such 
as f(x) = a + p( x-Hy ) 3 ; where p > 0. For this function f(x), subsystem 30 
selects a, P, and y in accordance with P > 0. 

b. Subsystem 30 generates a random sorted sequence A = {k\ 7 A,/} of 
/ numbers by randomly "walking" on the real line from MIN to MAX where 
MEM is smaller than the smallest number in E and MAX is larger than the 
largest number in E. Letting A = (MAX - MIN)/n, the random walking is 
implemented by subsystem 30 as follows: (i) randomly generate X\ from a 
uniform distribution in [MIN,MIN + 2A]; (ii) randomly generate X 2 from a 
uniform distribution in [X\, X\ + 2 A ]; and continue in the same way until 
MAX is exceeded, which provides a total number of elements /. It may be 
observed that A is sorted by the construction such that the expected value for 
the increment is A. Correspondingly, the expected value for / is given by: 
(MAX-MIN)/A = n. 

c. Subsystem 30 computes the sequences E 1 = f(E) and A 1 = f(A); 
where f(E) is the sequence obtained from E by replacing every element ej by 
f(ej), and concatenates the sequence A' to E f , obtaining W = E' u A\ 
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d. Subsystem 30 randomly permutes W, the disguised arguments DA, 
before outsourcing to computing center 50. 

e. Computing center 50 returns the disguised arguments DA as sorted 
result W\ 

5 f. Subsystem 30 removes A 1 from W ' to produce the sorted sequence 

E' and computes E = f ^E'), the actual answer SA. 
The value n may be revealed by this approach, because the number of items 
sent to the agent has expected value 2n. To provide greater security, n may be 
modified by letting A = (MAX - MIN) / m where m is a number independent of n. 
10 Therefore the size of the outsourced sequence is m + n, which hides the size of 
problem through expansion. 

EXAMPLE EIGHTEEN 
In example 18, secure outsourcing of a text string pattern matching 
1 5 computation is provided by disguise procedure DPI 8. For DPI 8, T is a text string of 
length N 5 P is a pattern of length n (n < N), and both are over alphabet A. DP 18 is 
based on establishing a score vector Ctj> such that Cr,p(i) is the number of positions at 
which the symbols of pattern P equal their corresponding symbols of text string T 
when the pattern P is positioned under the substring of T that begins at position i of T, 
20 such that it is in accordance with the following expression (59): 

H£lo S T(k+i),P(i) 

(59) 



where 8 x>y equals one if x = y and zero otherwise. 
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DP 18 performs the following stages a.-d. for every symbol x € A: 

a. Subsystem 30 replaces, in both T and P, every symbol other than x by 0, 
and every x by 1 ; and lets T x and P x be the resulting text and pattern, respectively. P x 
is augmented into a length N string n x by padding it with zeros. 

b. Subsystem 30 outsources to computing center 50 the computation of 

expression (60) as follows: 

i 

n-l 

D x (t) = £ I x (i + k)n x (k), 0 < i < N - n. (60) 

The terms of expression (60) (disguised arguments DA) define a form of 
convolution that may be securely outsourced using DP 12. 

c. Computing center 50 returns disguised result DR, the expression (60) 
computation, to subsystem 30. 

d. Subsystem 30 determines the actual answer SA, the score matrix Cj,p as: 

It should be appreciated that examples 1-18 are but a few of the forms of the 
embodiments of the present invention that may be utilized to provide secure 
outsourcing of one or more computations. Indeed, the stages, operations and 
techniques of these examples may be rearranged, combined, separated, deleted, 
altered, and added to other stages, operations, or techniques as would occur to those 
skilled in the art. 

Further, in one alternative embodiment of the present invention, a system 
dedicated to the performance of only a single type of disguise procedure is utilized. 
In another alternative, different types of outsourced computations may be 
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accommodated by a single disguise procedure or protocol. It should be appreciated 
that classification of the outsourced computation type for these alternative 
embodiments is optional. Indeed, even when selection of a disguise procedure is 
based on outsourced computation type, computation classification with one or more 
5 programs or computers is not needed; where, for example, an operator selects an 
appropriatp disguise procedure for a given outsourced computation. In, still other 
embodiments, classification may be partially operator-based or fully performed 
through the execution of one or more programs or routines. 

Also, it should be appreciated that multiple agents A may be utilized to 
10 perform different parts of a given outsourced computation. Moreover, outsourced 
computation results may be received by a different computer than the sending 
computer. For this example, the different computers of customer C may exchange 
information desired to recover actual answer S A. In still other embodiments, multiple 
sites or computers may be utilized to prepare the disguised arguments DA and/or 
1 5 receive the disguised result DR. 

Also, while both disguised arguments DA and disguised result DR are 
preferred, in other embodiments, it may be acceptable to reveal at least some of the 
actual arguments with only the result being disguised or to receive the actual answer 
with only the arguments being disguised. Further, while the term "arguments" has 
20 been used in the plural, it should be appreciated that the present invention includes 
embodiments that have only one argument. Correspondingly, while disguised result 
DR and actual answer SA have been used in the singular, it should be appreciated that 
the disguised result and/or actual answer may refer to a plurality. 

Yet another embodiment of the present invention includes: determining one 
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or more arguments to be outsourced; disguising the arguments by performing a local 
computation with a first computer; sending the disguised arguments to a second 
computer to perform the outsourced computation; and receiving a result of the 
outsourced computation. 
5 Still another embodiment of the present invention includes a computer, an 

output deyice, and an input device. The computer is uniquely programmed to 
determine a group of disguised arguments from a set of actual arguments. The 
disguised arguments hide one or more characteristics of the actual arguments. The 
disguised arguments are output by the output device for remote performance of the 

;fj 10 outsourced computation. The input device receives the result of the outsourced 

'C2 computation performed with the disguised arguments. 

;i| A further embodiment of the present invention includes operating a first 

□ computer in accordance with one or more instructions to perform an outsourced 

|3 mathematical operation. The first computer having received a number of disguised 

^ 1 5 arguments that hide a group of actual arguments for the outsourced mathematical 

operation. The outsourced mathematical operation is performed on the disguised 
arguments with the first computer, and the result of the outsourced mathematical 
operation is output by the first computer. 

In another embodiment, a system includes an input device to receive a 
20 plurality of disguised arguments that hide at least one characteristic of each of a 

number of actual arguments. The system also includes a computer responsive to the 
input device to perform an outsourced computation with the disguised arguments and 
provide a result of the outsourced computation. The system further comprises an 
output device to output the result for conversion to an actual answer corresponding to 
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the actual arguments. 

Still a further embodiment includes a computer readable medium that defines 
computer programming instructions to hide a group of actual arguments for a 
computation to be outsourced. The instructions provide for the generation of a group 
of disguised arguments corresponding to the actual arguments. The disguised 
argument^ are generated to provide a disguised result when provided for the 
computation. An actual answer is recoverable from the disguised result in accordance 
with the instructions. The actual answer corresponds to the results returned by the 
computation when the computation is provided the actual arguments. 

All publications, patents, and patent applications cited in this specification are 
herein incorporated by reference as if each individual publication, patent, or patent 
application were specifically and individually indicated to be incorporated by 
reference and set forth in its entirety herein. While the invention has been illustrated 
and described in detail in the drawings and foregoing description, the same is to be 
considered as illustrative and not restrictive in character, it being understood that only 
the preferred embodiment has been shown and described and that all changes, 
equivalents, and modifications that come within the spirit of the inventions defined by 
following claims are desired to be protected. 
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What is claimed is: 

1 . A method, comprising: 

determining a set of arguments for an outsourced computation; 

preparing a group of disguised arguments corresponding to the set of 
arguments! with a first computer; 

outputting the disguised arguments from the first computer for performance of 
the outsourced computation; and 

receiving a result of the outsourced computation performed with the disguised 
arguments. 

2. The method of claim 1, further comprising computing an actual answer from 
the result after said receiving. 

3. The method of claim 1, wherein said preparing includes: 

classifying the outsourced computation into one of a number of computation 

types; 

selecting one or more of a number of disguising operations based on said 
classifying; and 

performing the one or more disguising operations on the actual arguments 
with the first computer to provide the disguised arguments. 

4. The method of claim 3, wherein the computation types include matrix 
multiplication, matrix inversion, and convolution. 

58 



4-48409/7024-395 

5. The method of claim 4, wherein the computation types further include solution 
of a system of linear equations, solution of one or more differential equations, 
quadrature, image edge detection, character string pattern matching, and sorting. 

6. The method of claim 1 , further comprising: 

receiving the disguised arguments at a second computer remotely located 

relative to the first computer; 

performing the outsourced computation with the second computer; and 
sending the result from the second computer to the first computer, the result 

being in a disguised form relative to an answer obtained by submitting the actual 

arguments to the outsourced computation. 

7. The method of claim 1 , wherein said preparing includes generating a plurality 
of random numbers, the random numbers each being generated by one of a number of 
random number generation techniques, the techniques each including a different 
distribution parameter. 

8. The method of claim 7, wherein said preparing further includes defining a 
number of disguise functions with one or more of the random numbers. 

9. The method of claim 1, wherein said preparing includes modifying a linear 
operator. 
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1 0. The method of claim 1 , wherein said preparing includes altering a dimension 
corresponding to the actual arguments to provide the disguised arguments. 

1 1 . The method of claim 1 0, wherein said altering includes expanding the 
dimension. 

12. The method of claim 1 , wherein said preparing includes performing a function 
substitution in accordance with at least one mathematical identity. 

13. A method, comprising: 

operating a first computer in accordance with one or more instructions to 
perform an outsourced mathematical computation, the first computer receiving a 
number of disguised arguments that hide a group of actual arguments for the 
outsourced mathematical computation; 

performing the outsourced mathematical operation on the disguised arguments 
with the first computer; and 

outputting a result of the outsourced mathematical computation with the first 
computer. 

14. The method of claim 1 3 , further comprising: 

preparing the disguised arguments from the actual arguments with a second 

* 

computer; 

sending the disguised arguments to the first computer from the second 
computer; 

60 



4-48409/7024-395 

receiving the result at the second computer; and 

computing an actual answer from the result with the second computer. 

1 5 . The method of claim 1 3, wherein the outsourced mathematical computation 
corresponds to at least one of the group consisting of matrix multiplication, matrix 
inversion, ,and convolution. 

1 6. The method of claim 13, wherein the outsourced mathematical computation 
corresponds to at least one of the group consisting of solution of a differential 
equation, quadrature, character string pattern matching, and image edge detection. 

1 7. The method of claim 13, wherein the outsourced mathematical computation 
corresponds to at least one of the group consisting of solution to a system of linear 
equations and sorting. 

18. A system, comprising: 

a computer operable to define a set of actual arguments for an outsourced 
computation, said computer being programmed to determine a group of disguised 
arguments from the set of actual arguments, said disguised arguments hiding one or 
more characteristics of the set of actual arguments; 

an output device responsive to said computer to output the disguised 
arguments for remote performance of said outsourced computation; 

an input device to receive a result of said outsourced computation performed 
with said disguised arguments; and 
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wherein said computer is responsive to said input device to determine a 
desired answer from said result. 

1 9. The system of claim 1 8, wherein said computer is further programmed to 
classify said outsourced computation as being one of a number of types, said types 
including ^t least one of matrix multiplication, matrix inversion, and convolution. 

20. The system of claim 1 8, further comprising a computing center, said 
computing center being programmed to perform said outsourced computation with 
said disguised arguments. 

2 1 . The system of claim 1 8, wherein said computer includes a memory, a library 
of disguise operations being stored in said memory, said computer programming 
referencing said library to generate said disguised arguments. 

22. The system of claim 21 , wherein said disguise operations correspond to at 
least one of the group consisting of random object generation, argument dimension 
modification, mathematical identity substitution, and disguise function generation. 

23. The system of claim 1 8, wherein said computer includes instructions to 
generate a cubic spline to provide a disguise for said actual arguments. 

24. A system, comprising: 

an input device to receive a plurality of disguised arguments, said disguised 
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arguments hiding at least one characteristic of each of a number of actual arguments; 

a computer responsive to programming to perform an outsourced computation 
with said disguised arguments and provide a result of said outsourced computation; 
and 

an output device responsive to said computer to output said result for 
conversion to a desired answer corresponding to said actual arguments.. 

25. The system of claim 24, further comprising another computer programmed to 
generate said disguised arguments from said actual arguments. 

26. The system of claim 24, wherein said computer is operable to perform a 
number of different types of said outsourced computation, said types including matrix 
multiplication, matrix inversion, and convolution. 



27. The system of claim 24, wherein said programming includes a number of 
routines each corresponding to a different type of said outsourced computation, said 
routines corresponding to at least one of the group consisting of quadrature, solution 
of a differential equation, solution of a system of linear equations, image edge 
detection, character string pattern matching, and sorting. 

28. An apparatus, comprising: a computer readable medium, said medium 
defining computer programming instructions to hide a group of actual arguments for a 
computation to be outsourced, said instructions being operable to generate a group of 
disguised arguments corresponding to said actual arguments, said disguised 
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arguments being generated to provide a disguised result when provided for said 
computation, an actual answer being recoverable from said disguised result in 
accordance with said instructions, said actual answer being returned by said 
computation when said computation is provided said actual arguments. 

29. The apparatus of claim 28, further including a computer responsive to said 
programming instructions. 

30. The apparatus of claim 28, wherein said programming instructions are 
executable to classify said computation into at least one of a plurality of computation 
types, said computation types including matrix multiplication, matrix inversion, and 
convolution. 

3 1 . The apparatus of claim 28, wherein said programming instructions further 
define a library of disguise operations, said disguise operations corresponding to at 
least one of the group consisting of random object generation, dimension 
modification, and mathematical identity substitution. 

32. The apparatus of claim 28, wherein said programming instructions define a 
routine to generate a cubic spline to provide at least one disguise function. 

33. The apparatus of claim 28, wherein said programming instructions define a 
routine to provide a random function space to provide one or more disguise functions. 
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ABSTRACT 



A technique includes the determination of a set of arguments for an outsourced 
computation and preparing a group of disguised arguments corresponding to the set of 
arguments with a first computer. The first computer outputs the disguised arguments 
to a second computer. The second computer performs the outsourced computation 
with the disguised arguments to determine a corresponding disguised result. The 
second computer returns the disguised result to the first computer. The first computer 
recovers an actual answer from the disguised result. Before outsourcing, the first 
computer can classify the outsourced computation into one of a number of 
computation types and select one or more of a number of disguising operations based 
this classification. 
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